6 April 2014

Whitelisting online services for external parties using their IP

This article is targeted at a less technical to non-technical audience, therefore I preferred the use of simplified examples and extensive explanations.
Also, I would like to point out from the start that the method mentioned here is not considered best practice, due to the strong security issues associated with accessing sensitive services over the internet through connections that are not encrypted the way a VPN is.

When whitelisting services hosted on the internet for external partners (e.g. partner platforms, management services, …), sooner or later the responsible IT department demands "the public IP of this party".
For non-technical staff, any IP looks like any other, so this sometimes leads to misunderstandings, for example the IT department receiving an internal IP from someone at the third party, which is unusable for routing over the internet.
It is therefore important to know how to reliably determine the public IP of one's own internet connection or, in this case, the internet connection of one's own company.
Leaving aside the special circumstances of "dynamic IPs" for a moment, the easiest way to determine this is to use one of the myriad websites that offer exactly this service, for instance:

[Screenshot: information on the used internet connection, provider and location.]

As you can see above, it correctly determined my external IP (altered) as well as the city, state/region, country and even my ISP (blacked out).

Now, in the case of our example above, assuming the external partner has a static and only one external IP (i.e. one internet connection), the only thing necessary is for someone at the external party to visit this website, write down the IP and send it to the IT department of your company.
Once they have whitelisted this IP for the respective services, the external party should be able to access them.

Static and Dynamic IPs
As mentioned in the example above, IPs can be either static or dynamic. This is important when it comes to whitelisting a service on the basis of IP addresses, because doing so for a dynamic (meaning "varying") IP could lead to the loss of access after the external party disconnects from and reconnects to the internet, or after their ISP simply assigns them a new IP address. Logically, this will lead to the IT department having to adjust the whitelisting as often as the IP changes, which can even be daily.
Dynamic IPs are primarily used for domestic and private internet connections, but also for businesses that don't use a business tariff or whose ISP simply doesn't offer static IPs.

So, as a conclusion, it is important to make sure that the IP to be whitelisted is static; otherwise, the external party should see if they can acquire a static IP by contacting their ISP.

Internal and External IPs
One more trap when requesting an IP from non-technical staff is the confusion between an internal and an external IP. This is usually avoided with the approach suggested above, but it is still good to keep in mind whenever one sees an IP address and is uncertain whether it is valid for the particular case or not.
For IPs there are certain standards that help you determine whether an IP belongs to an internal (company, home, …) network or to the internet.
Below you can see the 3 ranges which are reserved for internal networks only and are therefore not usable on the internet:
10.0.0.0–10.255.255.255
172.16.0.0–172.31.255.255
192.168.0.0–192.168.255.255
A fourth range, the loopback range, always refers to the local machine itself and is equally unusable on the internet:
127.0.0.0–127.255.255.255
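
For the IT department, the ranges listed above can be checked automatically before a submitted address goes on the whitelist. The following is an added example, not part of the original article; the function names and the sample submissions are made up for illustration, and passing the check only means the address is outside the listed ranges, not that it is static.

```python
import ipaddress

# The ranges named in the article, written in CIDR notation.
NON_PUBLIC_RANGES = {
    "10.0.0.0/8": "internal range 10.0.0.0-10.255.255.255",
    "172.16.0.0/12": "internal range 172.16.0.0-172.31.255.255",
    "192.168.0.0/16": "internal range 192.168.0.0-192.168.255.255",
    "127.0.0.0/8": "loopback range 127.0.0.0-127.255.255.255",
}


def check_submitted_ip(text):
    """Return (ok, message) for an address an external party sent in."""
    candidate = text.strip()
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return False, f"{candidate!r} is not a valid IPv4 address"
    for cidr, label in NON_PUBLIC_RANGES.items():
        if addr in ipaddress.ip_network(cidr):
            return False, f"{addr} is in the {label}; ask for the public IP"
    return True, f"{addr} is outside the internal ranges"


def triage(submissions):
    """Split submissions into ones to whitelist and ones to send back."""
    accepted, rejected = [], []
    for partner, text in submissions:
        ok, message = check_submitted_ip(text)
        (accepted if ok else rejected).append((partner, message))
    return accepted, rejected


# Constructed sample submissions. 203.0.113.x is a documentation range
# standing in for a partner's real public address.
SAMPLE = [
    ("Partner A", "203.0.113.25"),
    ("Partner B", "192.168.1.14"),     # typical home/office internal IP
    ("Partner C", "172.31.255.255"),   # last address of the 172.16-31 range
    ("Partner D", "172.32.0.1"),       # just outside that range
    ("Partner E", " 10.20.30.40 "),    # copied with stray spaces
    ("Partner F", "127.0.0.1"),        # loopback
    ("Partner G", "203.0.113.256"),    # typo: 256 is not a valid octet
]

if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE)
    for partner, message in accepted:
        print("WHITELIST ", partner, "-", message)
    for partner, message in rejected:
        print("SEND BACK ", partner, "-", message)
```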

As a general disclaimer that runs contrary to the explanation above, I would like to point out that granting access to external parties over the internet on the basis of their IP, instead of using a secured and encrypted VPN, is considered risky from a security point of view.
When possible, such a VPN should always be preferred.


I hope this information was helpful to you, and I would be happy to receive any comments, suggestions or feedback.